Canada Border Services Agency

ARCHIVED - IT Outsourced Services

Preliminary Survey


April 2013



1.0 Introduction

The Canada Border Services Agency (CBSA) has historically obtained a number of its information technology (IT) services from outside government departments (OGD) and third parties. In the 2011-12 fiscal year, the Agency spent roughly $180 million on outsourced IT services, which represents about 60% of the Agency's IT budget. The Canada Revenue Agency (CRA) was the major service provider to the CBSA with an allocation of $165 million in 2011-12. After the customs function of the former Canada Customs and Revenue Agency (CCRA) was transferred to the CBSA, the two agencies continued to share a common network and infrastructure. The Agency's other Government of Canada IT service providers include:

  • Shared Services Canada (SSC);
  • Citizenship and Immigration Canada (CIC);
  • Foreign Affairs and International Trade (DFAIT);
  • Public Works and Government Services Canada (PWGSC); and
  • Third party service providers managed by the CBSA.

The audit of IT outsourced services was included in the Risk-Based Audit Plan: 2011-12 to 2013-14 and approved by the CBSA Audit Committee. At the time, CBSA management identified several risks associated with the relationships with existing service providers including the inability to maximize value for money, and service providers having competing priorities and not being positioned to meet future CBSA requirements. The initial audit objectives aimed to assess controls within the processes of managing the provision of IT services and measuring the performance of services.

The service provision landscape changed significantly for the CBSA due to a major policy decision within the Government of Canada to centralize infrastructure services with the creation of Shared Services Canada (SSC). Created in August of 2011, SSC was established to consolidate, streamline and improve information technology infrastructure services across the federal government. SSC's mandate is to leverage economies of scale to provide all federal organizations with access to reliable, efficient, and secure IT infrastructure services. SSC inherited a number of IT services previously provided by the CRA with the responsibility for data centres, e-mail, data and telephony networks. Consequently, the CRA is no longer the main provider of infrastructure services to the CBSA; however, the CRA will continue to provide distributed computing services (e.g. desktop support in regions), application and database support, IT security services and IT program management services to the CBSA, at an annual cost of roughly $56 million. These services are presently under review to assess their future with the CRA.

Based on a series of executive level discussions, it was determined that the best approach for this audit was to complete the planning phase for the audit and return to the Audit Committee to determine the value of moving forward with an audit at this time. This preliminary survey covers the period from February, 2012 to October, 2012. It aims to understand the risks associated with services previously provided by the CRA due to the magnitude of costs and importance to the CBSA's operations. A preliminary survey provides an understanding of risks prior to conducting an audit, and offers the following advantages:

  • Helps clarify the objectives and scope of the audit;
  • Helps focus audit resources to significant risks, thereby providing greater value to management;
  • Provides a better understanding of the activity being reviewed; and
  • Determines what needs to be done, how and when.

2.0 Statement of Conformance

This preliminary survey conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The approach and methodology for this preliminary survey followed the International Standards for the Professional Practice of Internal Auditing as defined by the Institute of Internal Auditors and the Internal Auditing Standards for the Government of Canada as required by the Treasury Board Internal Audit Policy. This preliminary survey provides a low level of assurance.

3.0 Key Survey Observations

Since the establishment of the Canada Border Services Agency in December 2003, both the CBSA and the CRA have worked towards building a mature process for managing shared information technology services. The relationship has evolved and improved from a simple separation of budget to the creation of joint CBSA/CRA committees and the establishment of clearer service definitions and service level agreements. With the creation of Shared Services Canada, the service management processes among the three organizations require clarification and refinement to address the complexity of operations and processes of service management, demand management and financial management.

The service arrangement with CRA requires further development of the Client/Service Provider model to advance its maturity. Service definition and service level agreements require further definition. While the service catalogue included service description, features, availability, price and service owner, there were limitations as the information was noted as either pending or generic. The agencies have made progress with respect to costing information; however, the financial framework and processes were not always clear and accessible in a manner that would allow management to sufficiently understand costs and benefits. Preliminary discussions are underway to explore options on the role of the CRA in providing services to the CBSA. This is to include an analysis to assess whether the CRA should continue to provide services to the CBSA or whether services will be transitioned to other service providers or back to the CBSA.

The service relationship with Shared Services Canada is at its initial stages, where governance within the CBSA and with SSC needs to be defined. The CBSA and SSC have agreed to an operating protocol that lists operating assumptions during the transition period and have established a business continuity framework to ensure the continuity of operations while SSC is being established. However, there are risks that service arrangements, performance and processes are insufficiently specified to meet the CBSA's business needs over time.

4.0 Recommendations and Management Response

Overall Management Response

The Information, Science and Technology Branch (ISTB) agrees that a full audit at the outset of Shared Services Canada's (SSC) mandate for Government of Canada (GC) data centres, e-mail and networks is not appropriate.

The ISTB also agrees that the significant amount of change in the GC IT services environment, brought about by the creation of SSC, has impacts beyond the services provided directly by SSC. The relationship of the CBSA to the Canada Revenue Agency (CRA) is also undergoing transformation. Portions of the CRA IT organization that formerly provided services to the CBSA were transferred to SSC.

The services that the CRA continues to provide to the CBSA are currently being analysed to determine whether the service model is optimal or if changes should be implemented to ensure value for money and service quality.

The transformation agenda currently being pursued in GC IT services generally creates an environment of elevated risk due to the amount of change being implemented. The ISTB is taking appropriate measures to identify and manage risk, and to ensure the continuity and stability of important outsourced IT services.

Recommendation 1: The Vice-President of the Information, Science and Technology Branch should develop an action plan to manage and mitigate the risks associated with IT outsourced services from CRA and SSC, including establishing performance measures for these services.

Management Action Plan

The ISTB has initiatives underway that are consistent with the recommendation of this report.

March 2014

With regard to the services provided by the CRA, the ISTB has:

  • Initiated a review of the six service areas provided to the CBSA by the CRA with a view to determining the best sourcing of services based on service alignment, quality and dollar value. It is expected that some services will be repatriated to the CBSA and some will remain outsourced to the CRA or an alternate service provider.
  • Defined service management processes in place for IT services provided by the CRA including a service level agreement that defines service deliverables and performance expectations. These service management processes will continue to be reviewed and adjusted on an ongoing basis to ensure alignment with altered or new service arrangements.
  • Used the Profile of GC IT Services to categorize its operational areas by function to support the transfer of resources to SSC in 2011, as well as to manage the service relationship with the CRA during service management and repatriation discussions that began in 2012. As part of the current analysis of the CRA services repatriation, the CRA services are being aligned to the Profile of GC IT Services. The analysis is expected to be completed by March 2014.
  • Engaged actively with the CRA to clarify the services provided to the CBSA by the CRA and implement a management framework that links those services to costs and performance metrics. Existing quarterly service reports are being updated to include improved service metrics.

December 2014

With regard to SSC, the ISTB has advanced the following initiatives, some of which are completed and others are under development. As the relationship matures and through lessons learned, we will continue to solidify the operating models and engagement strategy over the course of the following year. The ISTB has:

  • Defined the CBSA "Ecosystem", describing the complexities of the multidepartment, multisystem CBSA IT infrastructure, service and interconnection environment required to support secure and efficient border management.
  • Defined priority services and established performance expectations particularly related to the monitoring, response and management of the infrastructure and systems contained in the CBSA "Ecosystem", irrespective of the lead department.
  • Engaged SSC in the definition of governance processes in multiple streams: e.g. operational governance, joint funding submission and project governance, governance around strategic planning priority setting.
  • With the High Availability Response Team (HART), implemented a systematic, interdepartmental process to monitor the performance of critical IT systems and infrastructure, and provide senior management visibility into IT incident management for critical departmental activities.

5.0 Conclusion

Given the transition point with SSC, and the implications to the arrangement with the CRA, it is recommended that the audit be deferred at this time. The Internal Audit team will monitor the implementation of the recommendation(s) and conduct an audit in the 2014-15 fiscal year.

Future audits are expected to evaluate some or all of the controls over outsourced services including aspects such as the achievement of business requirements, compliance with the contract, relationship management, functionality and controls of provided services, fulfillment of assurance requirements and governance from the CBSA's perspective. This should be accomplished to advocate the interests of the CBSA, wherein there is a common understanding of the boundaries of audits including the defined audit rights, and the functionality and controls provided by service providers.

6.0 Survey Observations

1. The relationship between the CRA and CBSA has evolved and improved since the establishment of the CBSA in 2003.

Since the establishment of the Canada Border Services Agency in December 2003, both the CBSA and CRA have worked towards building a mature process for managing shared information technology services. There have been improvements in the governance processes that have evolved from a simple separation of budget to the creation of CRA/CBSA joint committees and the establishment of clearer service definitions and service level agreements. With the creation of Shared Services Canada, the service management processes among the three organizations require clarification and refinement to address the complexity of operations of service management, demand management and financial management.

The CBSA and CRA have established a framework[1] to strengthen collaboration between entities, provide guidance and establish an escalation process. Both parties have defined a governance framework with multiple touch points including defined meetings and fora. The CRA/CBSA joint committees were also established with terms of reference to manage the provision of IT services.

Figure 1: CBSA-CRA Relationship


2. The service arrangement with CRA requires further development of the Client / Service Provider model to advance its maturity.

The service arrangement between the CRA and CBSA was based on a shared environment and capacity, and initially not on a shared services model. Over the years, the agencies made efforts to move towards a shared service provider relationship with, for example, the definition of a governance structure and a memorandum of understanding (MOU). Given the nature of the relationship that originated based on a shared IT environment, there was no incentive to further define the relationship, including a comprehensive service catalogue or service level agreements. Information on cost drivers, such as the number of databases hosted or switches, was largely available but not employed to determine service costs due to the nature of the relationship.

Service definition and service level agreements (SLA) require further definition. The Data and Technology Infrastructure Management (DTIM) Core Services Catalogue provides documentation of the IT services that DTIM provided to IT clients at the CBSA. The service catalogue included the service description, service features, availability and service level, price and service owner. There were some limitations, where pricing information was not readily provided within the service catalogue; the information was either noted as pending or generic (e.g. this service is priced on a project-by-project basis). Additionally, service levels were not detailed, wherein mostly generic availability indicators were documented (e.g. 24/7 operations).

In addition to the limitations of the service catalogue, the service level agreements had certain limits:

  • There were limited service level objectives metrics defined. Generally, availability is employed as the key metric.
  • Aside from work order-driven services, the prices of services were not indicated based on quantity or usage.

3. Progress made within the CRA and CBSA service arrangement does not provide accessible and clear costing information to CBSA management.

Progress was made to enhance cost management practices, particularly for work order-driven services; however, the financial framework and processes were not always clear and accessible in a manner that would allow management to sufficiently understand costs and benefits.

The preliminary survey found that although not fully transparent to CBSA management, a costing model was employed for some services. For example, fees associated with a new network connection for a building were subject to a costing formula denoting that costs were assessed based on factors such as resource costs and usage. For a new network connection, the first year would involve the creation of a work order, which would include the costs for resources (salary), bandwidth and equipment. In the second year maintenance costs would be calculated based on administrative charges per month, an asset replacement fee, and usage (e.g. costs for bandwidth). However, the methodology was not always clear or available to CBSA management.

At present, service definitions do not clearly reflect cost drivers such as resource and usage costs.

4. The CBSA relationship with Shared Services Canada is in its initial stages, where governance needs to be defined. There are risks that service arrangements and processes are insufficiently specified to meet the CBSA's business needs over time.

The CBSA relationship with Shared Services Canada is in its initial stages, and challenges have arisen during the transition to Shared Services Canada, including the level of control that the CBSA can expect over service levels and costs. Risks associated with effective service delivery have increased due to the absence of a formal governance framework and other elements, such as the lack of a tailored service catalogue and formalized agreements such as an MOU and SLAs.

The governance framework previously defined between the CRA and CBSA is not present with Shared Services Canada. In addition, SSC provides generic service descriptions based on the Treasury Board definitions. A service catalogue has not been developed that is specific to the CBSA's service needs. Finally, agreements such as MOUs and SLAs have not been established between the CBSA and SSC, who have agreed to an operating protocol that lists operating assumptions during the transition period. Additionally, a business continuity framework is established to ensure the continuity of operations while SSC is being established.

Given the government-wide SSC mandate, the establishment of stronger governance arrangements between SSC and the CBSA is not a priority in the near future. Rather, SSC plans to address its service standards and relationship to its full client base, which it refers to as "partner departments." This does present associated risks for the CBSA to manage, including:

  • SSC's ability to deliver services in a secure and efficient manner while meeting CBSA business standards and complying with legal and regulatory requirements.
  • The CBSA/SSC governance process that includes processes for defining service requirements, service definitions, agreements, and performance expectations and targets.

5. Preliminary discussions are underway to explore options on the role of the CRA in providing services. This includes an analysis to assess whether the CRA should continue to provide services to the CBSA or whether services will be transitioned to other service providers or back to the CBSA.

Shared Services Canada is now responsible for the network, e-mail and data centre services. The CRA provides desktop support in the regions, some IT Security, the desktop image, and support of application deployment and other services. The preliminary survey found that there are discussions underway between the CBSA and CRA to evaluate the remaining services with the CRA to determine:

  • whether services will remain with the CRA;
  • whether services will be repatriated to the CBSA; and
  • whether services will be transferred to other service providers such as SSC.

The expected outcomes include better definition of service relationships of the CBSA with both SSC and the CRA, to clarify organizational roles and manage complexity. The organizations plan to detail costs for each service to the degree possible as part of this exercise.

There are risks that service arrangements and processes are insufficiently specified to meet the CBSA's business needs over time. The governance framework will require revisions along with the service definitions within the service catalogue and the service level agreements for critical IT services. An SLA is one of the primary metrics used to measure performance.

7.0 Appendix A: Risk Profile[3]

The resulting risk profile includes a determination of exposures based on the work performed during the preliminary survey, wherein control practices for areas of higher risk should be further assessed. The risk profile is an aggregate of risk exposures for the CRA and SSC; given the risks associated with a large-scale change of service providers, it is expected that the risk exposures have increased.

| Control | Description | Potential Risk Exposure |
|---|---|---|
| **Managing the Provision of IT Services** | | |
| DS1.1 Service Level Management Framework | Define a framework that provides a formalized service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s). | increased |
| DS2.1 Identification of All Supplier Relationships | Identify all supplier services, and categorize them according to supplier type, significance and criticality. Maintain formal documentation of technical and organizational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers. | same |
| DS1.2 Definition of Services | Base definitions of IT services on service characteristics and business requirements. Ensure that they are organized and stored centrally via the implementation of a service catalogue portfolio approach. | increased |
| DS2.2 Supplier Relationship Management | Formalize the supplier relationship management process for each supplier. The supplier relationship managers should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs). | increased |
| DS2.3 Supplier Risk Management | Identify and mitigate risks relating to suppliers' ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements. | increased |
| DS1.3 Service Level Agreements | Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arrangements. | increased |
| **Performance Measurement** | | |
| PO5.1 Financial Management Framework | Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT enabled investments, business cases and IT budgets. | increased |
| PO5.4 Cost Management | Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in a timely manner and the impact of those deviations on programs should be assessed. | increased |
| PO5.5 Benefit Management | Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities. IT's contribution to the business, either as a component of IT-enabled investment programs or as part of regular operational support, should be identified and documented in a business case, agreed to, monitored and reported. | increased |
| ME1.1 Monitoring Approach | Establish a general monitoring framework and approach to define the scope, methodology and process to be followed for measuring IT's solution and service delivery, and monitor IT's contribution to the Agency. Integrate the framework with the corporate performance management system. | increased |
| DS1.5 Monitoring and Reporting of Service Level Achievements | Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analysed and acted upon to identify negative and positive trends for individual services as well as for services overall. | increased |
| ME4.3 Value Delivery | Manage IT-enabled investment programs and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise's strategy and objectives. | increased |

Notes

  1. CRA CBSA Governance Framework for the Provision of IT Services (Aug 2011)
  2. Based on COBIT 4.1, Information Systems Audit and Control Association (ISACA).